
Software Security in DevOps: Synthesizing Practitioners’ Perceptions and Practices

In organizations that use DevOps practices, software changes can be deployed as fast as 500 times or more per day. Without adequate involvement of the security team, rapidly deployed software changes are more likely to contain vulnerabilities due to lack of adequate reviews. The goal of this paper is to aid software practitioners in integrating security and DevOps by summarizing experiences in utilizing security practices in a DevOps environment. We analyzed a selected set of Internet artifacts and surveyed representatives of nine organizations that are using DevOps to systematically explore experiences in utilizing security practices. We observe that the majority of the software practitioners have expressed the potential of common DevOps activities, such as automated monitoring, to improve the security of a system. Furthermore, organizations that integrate DevOps and security utilize additional security activities, such as security requirements analysis and performing security configurations. Additionally, these teams also have established collaboration between the security team and the development and operations teams.

Published in: Technology

  1. Software Security in DevOps: Synthesizing Practitioners’ Perceptions and Practice. Akond Rahman (aarahman@ncsu.edu) and Laurie Williams, Department of Computer Science, North Carolina State University
  2. Why Security in DevOps?
     • Ensuring quality even when software deployment is rapid
     • Adoption concerns
  3. Research Objective: Aid software practitioners in integrating security and DevOps by summarizing experiences in utilizing security practices in a DevOps environment.
  4. Background
     • DevSecOps is the concept of integrating security principles through increased collaboration
     • We differentiate between ‘activity’ and ‘security practice’.
       – A DevOps activity focuses on achieving a small, well-defined goal that has a tangible output.
       – A security practice is a collection of activities that can be grouped based on existing similarities within those activities.
  5. Our Contributions
     • A list of DevOps activities that might have a positive and negative impact
     • A list of security practices and an analysis of how they are used in DevOps organizations
     • An analysis that quantifies the levels of collaboration
  6. Research Questions
     • RQ1: Perception. How do software practitioners perceive the integration of DevOps and security? What DevOps related activities contribute to those perceptions?
     • RQ2: Security Practices. What security practices are used by organizations that integrate security into DevOps?
  7. Methodology
     • 66 Internet artifacts
     • Nine DevOps organizations
  8. RQ1: Identified Perceptions
     • Positive Perceptions
       – Use of automated monitoring
       – Use of automated pipeline to deploy software
       – Automatic deployment of software
       – Automatic testing of software changes
       – Delivering software in small increments
  9. RQ1: Identified Perceptions
     • Negative Perceptions
       – Use of immature automated deployment tools
       – Use of inappropriate software metrics
       – Inadequate monitoring of collaboration
  10. RQ2: Identified Automated Activities
     • Automation of Code Review
     • Automation of Monitoring
     • Automation of Software defined Firewall
     • Automation of Software Licensing
     • Automation of Testing
  11. RQ2: Identified Non-Automated Activities
     • Design Review
     • Input Validation
     • Isolation of Untrusted Inputs
     • Performing Compliance Requirements
     • Performing Security Configurations
     • Performing Security Policies
     • Security Requirements Analysis
     • Performing Manual Security Tests
     • Risk Analysis
     • Threat Modeling
  12. RQ1: Empirical Findings – Positive Aspects (Internet Artifacts). [Bar chart; axis: count of Internet artifacts; categories: Automated monitoring, Automated pipeline, Automated deployment, Automated testing, Delivering software in small increments]
  13. RQ1: Empirical Findings – Negative Aspects (Internet Artifacts). [Bar chart; axis: count of Internet artifacts; categories: Use of immature automated deployment tools, Use of inappropriate software metrics, Inadequate monitoring of collaboration]
  14. RQ2: Empirical Findings – Automation Practices (Internet Artifacts). [Bar chart; axis: count of Internet artifacts; categories: Automation of monitoring, Automation of testing, Automation of code review, Automation of software licensing, Automation of software defined firewall]
  15. RQ2: Empirical Findings – Non Automation Practices (Internet Artifacts). [Bar chart; axis: count of Internet artifacts; categories: Security requirements analysis, Performing security configurations, Performing security policies, Performing manual security tests, Performing compliance requirements, Design review, Input validation, Isolation of untrusted inputs, Threat modeling, Risk analysis]
  16. RQ1: Empirical Findings – Positive Aspects (Survey). [Bar chart; axis: count of organizations; series: Yes, No; categories: Use of automated monitoring, Use of automated pipeline to deploy software, Automatic deployment of software, Automatic testing of software changes, Delivering software in small increments]
  17. RQ2: Empirical Findings – Automation Practices (Survey). [Bar chart; axis: count of organizations; series: Yes, No; categories: Automation of monitoring, Automation of testing, Automation of code review, Automation of software defined firewall, Automation of software licensing]
  18. RQ2: Empirical Findings – Non Automation Practices (Survey). [Bar chart; axis: count of organizations; series: Yes, No; categories: Performing security policies, Performing manual security tests, Input validation, Performing compliance requirements, Performing security configurations, Risk analysis, Isolation of untrusted inputs, Threat modeling, Design review, Security requirements analysis]
  19. RQ2: Empirical Findings – Collaboration (Survey). [Bar chart; axis: count of organizations; series: Lowest, Low, Moderate, High, Highest; categories: Dev&Ops, Dev&Sec, Sec&Ops]
  20. Summary
     • Answer to RQ1:
       – A certain set of DevOps activities are perceived to be beneficial for system’s security
     • Answer to RQ2:
       – A certain set of DevOps specific automated and non-automated activities are used to implement security
       – Moderate to strong collaboration exists between teams
  21. Limitations
     • Incomprehensive set of Internet artifacts
     • Incomprehensive set of security practices
     • Generalizability of empirical findings
     • Impact of collaboration on practice usage
  22. Conclusion
     • Commonly used DevOps activities can be helpful to a system’s security.
     • Security teams actively collaborate with development and operations teams in established DevOps organizations.
     • Security awareness is prevalent amongst established DevOps organizations
